sybilattack

Upload: sajithanazer

Post on 08-Apr-2018


  • 8/6/2019 sybilattack

    1/22

    CIS 700/003: Distributed Systems meet Social Networks

    Sybil attack

    March 23, 2010

    2010 Andreas Haeberlen

    University of Pennsylvania

  • Where are we?

    Building MAD systems

    Faults and misbehavior

    Internet crime

    Spoofing

    Sybil attack (Today)

    Denial of Service

    Phishing

    Novel opportunities

    Experience

  • SybilGuard: Defending Against Sybil Attacks via Social Networks

    Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, Abraham Flaxman

    SIGCOMM 2006

  • Discussion points

    How good are their guarantees?

    r y u w

    Overhead?

    Evaluation convincing?

    How reliable is their estimation of N?

  • Rest of this class

    Other defenses against Sybil attacks

    SybilLimit

  • Do Sybil attacks occur in practice?

    Why is it called a 'Sybil' attack?

    Based on a 1973 book by F. R. Schreiber about a patient called Sybil Dorsett (pseudonym)

    'Sybil' was suffering from dissociative identity disorder; she manifested 16 different personalities

    Do Sybil attacks occur in practice?

    Yes. For example, they have been observed in the Maze P2P system (Lian et al., ICDCS 2007)

    Demonstrated to be surprisingly easy in practice, e.g., in the widely-used eMule system (Steiner et al., CCR 2007)

  • Other defenses against Sybil attacks

    Typical approach is to rely on the fact that the attacker is limited in some resource R

    R can be many different things. Examples:

    Storage: Give each node a large amount of uncompressible data and randomly verify small excerpts.

    Bandwidth: Send lots of traffic and require the node to respond within a certain time interval.

    Computation: Ask the node to solve a difficult computational puzzle whose solution is easy to check (e.g., invert hash)

    Physical locations: Treat all nodes within some distance as a single node

    If attacker has nodes in a few locations, he can fabricate new locations!

    IP addresses: Require node to respond to probe packets

  • Other defenses against Sybil attacks

    Real-world identities: Certify mapping to passport identity

    Human attention: To get a new identity, require solving a task that computers cannot solve e.g.,

    Can be defeated by hiring low-wage workers to solve CAPTCHAs

    Physical machines: Bind identities to a TPM, etc.

    Challenge:

    Assume the attacker has r_A units of the resource, and the weakest legitimate user has r_M

    , the attacker can create r_A/r_M identities

  • SybilLimit: A Near-Optimal Social Network Defense against Sybil Attacks

    Haifeng Yu, Michael Kaminsky, Phillip B. Gibbons, Feng Xiao

    Oakland 2008

  • Motivation: SybilGuard has several major limitations

    number of Sybil nodes to be accepted -

    Problem #2: No guarantees if the number of

    Example: In a million-node network, SybilGuard can't bound the number of sybils at all if there are >15,000 attack edges

    Problem #3: Assumes fast-mixing property

    Has never been validated in the real world!

    Is not obvious at all, given the presence of communities

  • Contributions of SybilLimit

    Guarantees are improved dramatically

    Within log n of the optimum for this type of system

    Formal proofs for each property

  • How do they do this?

    Idea #1: Use many random routes, but shorter ones

    Idea #2: Intersect edges, not nodes

    Idea #4: Use a more robust technique to

  • Registering tails

    Idea #1: Intersect edges, not nodes

    (square root of the number of edges between honest nodes)

    For each route, remember only the last edge (the 'tail')

    Verifier rejects suspect if their sets of routes do not share any tails

    Effect #2: Reduces the number of slots available to attacker

  • Balance condition

    Idea #2: Limit how often each tail may be

    Because there are so many routes now (SybilGuard had just

    But we can expect intersections to be distributed randomly, so we can enforce a limit on how often each tail can be used

    Result: Limits #sybils accepted through 'escaping' tails
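The tail-intersection check and the per-tail usage limit from the two slides above, as a small simulation. This is an added example, not code from the lecture or from the SybilLimit authors. The sample graph, the parameters `r`, `w` and `cap`, the fixed per-tail cap, and the use of one set of routing tables for both verifier and suspects are simplifying assumptions.

```python
import random

def build_graph(n_honest=40, n_sybil=10, attack_edge=True):
    """Constructed sample: honest ring with chords plus a sybil clique."""
    n = n_honest + n_sybil
    pairs = [(i, j % n_honest) for i in range(n_honest) for j in (i + 1, 7 * i + 3)]
    pairs += [(a, b) for a in range(n_honest, n) for b in range(a + 1, n)]
    pairs += [(0, n_honest)] if attack_edge else []   # the single attack edge
    g = {i: set() for i in range(n)}
    for a, b in pairs:
        g[a].add(b)
        g[b].add(a)
    return {u: sorted(nb) for u, nb in g.items()}

def make_tables(g, r, rng):
    """Per instance and node: random permutation, incoming -> outgoing edge."""
    return [{u: dict(zip(nb, rng.sample(nb, len(nb)))) for u, nb in g.items()}
            for _ in range(r)]

def tails(g, tables, start, w, rng):
    """One w-hop random route per instance; remember only the last edge."""
    out = []
    for table in tables:
        prev, cur = start, rng.choice(g[start])
        for _ in range(w - 1):
            prev, cur = cur, table[cur][prev]
        out.append((prev, cur))
    return out

class Verifier:
    def __init__(self, g, tables, node, w, cap, rng):
        self.load = {t: 0 for t in tails(g, tables, node, w, rng)}
        self.cap = cap                       # fixed per-tail limit (assumption)
    def accept(self, suspect_tails):
        shared = [t for t in suspect_tails if t in self.load]
        if not shared:
            return False                     # no common tail: reject
        t = min(shared, key=self.load.get)   # use the least-loaded shared tail
        if self.load[t] >= self.cap:
            return False                     # tail already used too often
        self.load[t] += 1
        return True

def run(attack_edge, r=12, w=6, cap=2, seed=1):
    rng = random.Random(seed)
    g = build_graph(attack_edge=attack_edge)
    tables = make_tables(g, r, rng)
    v = Verifier(g, tables, 5, w, cap, rng)
    count = lambda ids: sum(v.accept(tails(g, tables, s, w, rng)) for s in ids)
    return count(range(10, 40)), count(range(40, 50)), len(v.load)
```

`run(attack_edge)` returns the number of accepted honest suspects, the number of accepted sybil suspects, and the number of distinct verifier tails; the total accepted can never exceed `cap` times the number of tails, however many identities sit behind the attack edge.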

  • Estimating the number of routes

    Idea #3: Use a more robust technique to estimate the system parameter

    Recall that SybilGuard needs to estimate the length of the walk, but this fails if there are too many attack edges

    Uses a novel technique that mixes real suspects with some random other suspects that are known to be mostly honest

    Guarantees that parameter will never be overestimated, regardless of the attacker's behavior

  • Lower bound

    SybilLimit bounds #sybils accepted per attack edge to O(log n)

    Yes, but only by at most log n

    Any system that relies on the same property as SybilLimit (change in mixing time) would accept at least Ω(1) sybils per attack edge

  • Mixing time

    Provable guarantees of SybilLimit rely on the assumption that social network has small (O(log n)) mixing time

    Question: Is this true of real social networks?

    Problem: Cannot show directly that mixing time is O(log n)

    O(log n) is asymptotic behavior

    But it is sufficient to show that small values of w are sufficient for SybilLimit to work well

  • Mixing time

    Result: Small w values are sufficient for large-

    Evidence (though not proof) that the small-mixing-time assumption holds for real social networks

  • How many sybils are accepted now?

  • Take-away points

    Sybil attacks are easy, dangerous, and real

    Observed in deployed P2P systems (e.g., Maze)

    Not difficult to do

    Can subvert BFT, voting systems, DHT routing, ...

    Typically assume the attacker is limited in some resource,

    Danger of excluding resource-limited but legitimate users

    Attacker assumed to be limited in #trust relationships; results in small min-cut between sybils and honest users

    Implementation far from trivial (see SybilGuard/SybilLimit)

  • Where are we?

    Building MAD systems

    Faults and misbehavior

    Internet crime

    Spoofing

    Sybil attack

    Denial of Service

    Phishing

    Next time

    Novel opportunities

    Experience

  • Stay tuned

    Next week you will learn:

    How to defend against Denial of Service attacks using a Denial of Service attack